Abstract

The widely held belief that BQP strictly contains BPP raises fundamental questions: Upcoming generations of quantum computers might already be too large to be simulated classically. Is it possible to experimentally test that these systems perform as they should, if we cannot efficiently compute predictions for their behavior? Vazirani has asked [Vaz07]: If computing predictions for Quantum Mechanics requires exponential resources, is Quantum Mechanics a falsifiable theory? In cryptographic settings, an untrusted future company wants to sell a quantum computer or perform a delegated quantum computation. Can the customer be convinced of correctness without the ability to compare results to predictions?

To provide answers to these questions, we define Quantum Prover Interactive Proofs (QPIP). Whereas in standard Interactive Proofs [GMR85] the prover is computationally unbounded, here our prover is in BQP, representing a quantum computer. The verifier models our current computational capabilities: it is a BPP machine, with access to few qubits. Our main theorem can be roughly stated as: "Any language in BQP has a QPIP, and moreover, a fault tolerant one". We provide two proofs. The simpler one uses a new (possibly of independent interest) quantum authentication scheme (QAS) based on random Clifford elements. This QPIP, however, is not fault tolerant. Our second protocol uses the polynomial codes QAS due to Ben-Or, Crepeau, Gottesman, Hassidim, and Smith [BOCG+06], combined with quantum fault tolerance and secure multiparty quantum computation techniques. A slight modification of our constructions makes the protocol "blind": the quantum computation and input remain unknown to the prover.

After we had derived the results, we learnt that Broadbent, Fitzsimons, and Kashefi [BFK08] have independently derived "universal blind quantum computation" using completely different methods (measurement based quantum computation). Their construction implicitly yields similar implications.
1 Introduction



1.1 Motivation 

As far as we know today, the quantum mechanical description of many-particle systems requires exponential resources to simulate. This has the following fundamental implication: the results of an experiment conducted on a many-particle physical system described by quantum mechanics cannot be predicted (in general) by classical computational devices, in any reasonable amount of time. This important realization (or belief), which stands at the heart of the interest in quantum computation, led Vazirani to ask [Vaz07]: Is quantum mechanics a falsifiable physical theory? Assuming that small quantum systems obey quantum mechanics to an extremely high accuracy, it is still possible that the physical description of large systems deviates significantly from quantum mechanics. Since there is no efficient way to make the predictions of the experimental outcomes for most large quantum systems, there is no way to test or falsify this possibility experimentally, using the usual scientific paradigm, as described by Popper.

This question has practical implications. Experimentalists who attempt to realize quantum computers would like 
to know how to test that their systems indeed perform the way they should. But most tests cannot be compared to any 
predictions! The tests whose predictions can in fact be computed, do not actually test the more interesting aspects of 
quantum mechanics, namely those which cannot be simulated efficiently classically. 

The problem arises in cryptographic situations as well. Consider for example, a company called Q-Wave which is trying to convince a certain potential customer that the system it had managed to build is in fact a quantum computer of 100 qubits. How can the customer, who cannot make predictions of the outcomes of the computations made by the machine, test that the machine is indeed a quantum computer which does what it is claimed to do? Given the amounts of grant money and prestige involved, the possibility of dishonesty of experimentalists and experimentalists' bias inside the academia should not be ignored either [Roo03, Wik08].

There is another related question that stems from cryptography. It is natural to expect that the first generations of quantum computers will be extremely expensive, and thus quantum computations would be delegated to untrusted companies. Is there any way for the customer to trust the outcome, without the need to trust the company which performed the computation, even though the customer cannot verify the outcome of the computation (since he cannot simulate it)? And even if the company is honest, can the customer detect innocent errors in such a computation?

Vazirani points out [Vaz07] that in fact, an answer to these questions is already given in the form of Shor's algorithm. Indeed, quantum mechanics does not seem to be falsifiable using the usual scientific paradigm, assuming that BQP is strictly larger than BPP. However, Shor's algorithm does provide a way for falsification, by means of an experiment which lies outside of the scientific paradigm: though its result cannot be predicted and then compared to the experimental outcome, it can be verified once the outcome of the experiment is known (by simply taking the product of the factors and checking that this gives the input integer).

This, however, does not fully address the issues raised above. Let us take for example the case of the company trying to convince a customer that the system it is trying to sell is indeed a quantum computer of 100 qubits. Such a system is already too big to simulate classically; however, any factoring algorithm that is run on a system of 100 qubits can be easily performed by today's classical technology. For delegated quantum computations, how can Shor's algorithm help in convincing a customer of correctness of, say, the computation of the BQP complete problem of approximating the Jones polynomial [AJL06, AA06]? As for experimental results, it is difficult to rigorously state what is exactly falsified or verified by the possibility to apply Shor's algorithm. Finally, from a fundamental point of view, there is a fundamental difference between being convinced of the ability to factor, and testing universal quantum evolution.

We thus pose the following main question: Can one be convinced of the correctness of the computation of any 
polynomial quantum circuit? Does a similar statement to the one above, regarding Shor's algorithm, apply for universal 
quantum computation? Alternatively, can one be convinced of the "correctness" of the quantum mechanical description 
of any quantum experiment that can be conducted in the laboratory, even though one cannot compute any predictions 
for the outcomes of this experiment? In this paper we address the above fundamental question in a rigorous way. We do 
this by taking a computational point of view on the interaction between the supposed quantum computer, and the entity 
which attempts to verify that it indeed computes what it should. 

1.2 Quantum Prover Interactive Proofs (QPIP) 

Interactive proof systems, defined by Goldwasser, Micali and Rackoff [GMR85], play a crucial role in the theory of computer science. Roughly, a language $L$ is said to have an interactive proof if there exists a computationally unbounded prover (denoted $P$) and a BPP verifier ($V$) such that for any $x \in L$, $P$ convinces $V$ of the fact that $x \in L$ with probability $\ge \frac{2}{3}$ (completeness). Otherwise, when $x \notin L$, any prover fails to convince $V$ with probability higher than $\frac{1}{3}$ (soundness).

Shor's factoring algorithm [Sho97] can be viewed as an interactive proof of a very different kind: one between a classical BPP verifier, and a quantum polynomial time (BQP) prover, in which the prover convinces the verifier of the factors of a given number (this can be easily converted to the usual IP formalism of membership in a language). This is a quantum interactive proof of a very different kind than quantum interactive proofs previously studied in the literature [Wat03], in which the prover is an unbounded quantum computer, and the verifier is a BQP machine.

Clearly, such an interactive proof between a BQP prover and a BPP verifier exists for any problem inside NP $\cap$ BQP. However, it is widely believed that BQP is not contained in NP (and in fact not even in the polynomial hierarchy). The main idea of the paper is to generalize the above interactive point of view of Shor's algorithm, and show that with this generalization, a verifier can be convinced of the result of any polynomial quantum circuit, using interaction with the prover, the quantum computer.

To this end we define a new model of quantum interactive proofs which we call quantum prover interactive proofs 
(QPIP). The simplest definition would be an interactive proof in which the prover is a BQP machine and the verifier 
a BPP classical machine. In some sense, this model captures the possible interaction between the quantum world (for 
instance, quantum systems in the lab) and the classical world. However, this model does not suffice for our purposes. 
We therefore modify it a little, and allow the verifier additional access to a constant number of qubits. The verifier can 
be viewed as modeling our current computational abilities, and so in some sense, the verifier in the following system 
represents "us". 

Definition 1.1 Quantum Prover Interactive Proof (QPIP) is an interactive proof system with the following properties:

• The prover is computationally restricted to BQP. 

• The verifier is a hybrid quantum-classical machine. Its classical part is a BPP machine. The quantum part is a 
register of c qubits (for some constant c), on which the prover can perform arbitrary quantum operations. At any 
given time, the verifier is not allowed to possess more than c qubits. The interaction between the quantum and 
classical parts is the usual one: the classical part controls which operations are to be performed on the quantum 
register, and outcomes of measurements of the quantum register can be used as input to the classical machine. 

• There are two communication channels: one quantum and one classical.

The completeness and soundness conditions are identical to the IP conditions.

Abusing notation, we denote the class of languages for which such a proof exists also by QPIP. 

1.3 Main Results 

Definition 1.2 The promise problem Q-CIRCUIT consists of a quantum circuit made of a sequence of gates, $U = U_T \cdots U_1$, acting on n input bits. The task is to distinguish between two cases:

Q-CIRCUIT_YES: $\| (|0\rangle\langle 0| \otimes I_{n-1}) U |0^n\rangle \|^2 \ge \frac{2}{3}$
Q-CIRCUIT_NO: $\| (|0\rangle\langle 0| \otimes I_{n-1}) U |0^n\rangle \|^2 \le \frac{1}{3}$

Q-CIRCUIT is a BQP complete problem, and moreover, this remains true for other soundness and completeness parameters $0 < s, c < 1$, if $c - s > 1/\mathrm{poly}(n)$. Our main result is:

Theorem 1.1 The language Q-CIRCUIT has a QPIP. 

Since Q-CIRCUIT is BQP complete, and QPIP is trivially inside BQP, we have: 

Theorem 1.2 BQP = QPIP. 

Thus, a BQP prover can convince the verifier of any language he can compute. We remark that our definition of QPIP is asymmetric: the verifier is "convinced" only if the quantum circuit outputs 1. This asymmetry seems irrelevant in our context of verifying correctness of quantum computations. Indeed, it is possible to define a symmetric version of QPIP (we denote it by QPIP$^{sym}$) in which the verifier is convinced of correctness of the prover's outcome (in both the 0 and 1 cases) rather than of membership of the input in the language, namely in the 1 case only. That BQP = QPIP$^{sym}$ follows quite easily from the fact that BQP is closed under complement (see Appendix H).

Moreover, the above results apply in a realistic setting, namely with noise: 
Theorem 1.3 Theorem 1.1 holds also when the quantum communication and computation devices are subjected to the usual local noise model assumed in quantum fault tolerance settings.

In the works [Chi01, AS06] a related question was raised: in our cryptographic setting, if we distrust the company performing the delegated quantum computation, we might want to keep both the input and the function which is being computed secret. Can this be done while maintaining the confidence in the outcome? A simple modification of our protocols gives

Theorem 1.4 Theorem 1.3 holds also in a blind setting, namely, the prover does not get any information regarding the function being computed and its input.

We note that an analogous result for NP-hard problems was shown already in the late 80's to be impossible unless the polynomial hierarchy collapses [AFK87].

1.4 Proofs Overview (and More Results About Quantum Authentication Schemes) 

Our main tool is quantum authentication schemes (QAS) [BCG+02]. Roughly, a QAS allows two parties to communicate in the following way: Alice sends an encoded quantum state to Bob. The scheme is secure if upon decoding, Bob gets the same state as Alice had sent unless it was altered, whereas if the state had been altered, then Bob's chances of declaring valid a wrong state are small. The basic idea is that similar security can be achieved, even if the state needs to be rotated by unitary gates, as long as the verifier can control how the unitary gates affect the authenticated states. Implementing this simple idea in the context of fault tolerance encounters several complications, which we explain later.

We start with a simple QAS and QPIP, which we do not know how to make fault tolerant, but which demonstrates 
some of the ideas and might be of interest on its own due to its simplicity. 

Clifford QAS based QPIP. We present a new, simple and efficient QAS, based on random Clifford group operations (it is reminiscent of Clifford based quantum t-designs [AE07, ABW08]). To encode a state of m qubits, tensor the state with d qubits in the state $|0\rangle$, and apply a random Clifford operator on the $m + d$ qubits. The security proof of this QAS uses a combination of known ideas. We first prove that any attack of Eve is mapped by the random Clifford operator to random Pauli operators. We then show that those are detected with high probability. This QAS might be interesting in its own right due to its simplicity.

To construct a QPIP using this QAS, we simply use the prover as an untrusted storage device: the verifier asks the prover for the authenticated qubits on which he would like to apply the next gate, decodes them, applies the gate, encodes them back and sends them to the prover. The proof of security is quite straightforward given the security of the QAS.

Due to the lack of structure of the authenticated states, we do not know how to make the prover apply gates on 
the states without revealing the key. This seems to be necessary for fault tolerance. The resulting QPIP protocol also 
requires many rounds of quantum communication. 

Polynomial codes based QAS and its QPIP. Our second type of QPIP uses a QAS due to Ben-Or, Crepeau, Gottesman, Hassidim and Smith [BOCG+06]. This QAS is based on signed quantum polynomial codes, which are quantum polynomial codes [ABO97] of degree at most d multiplied by some random sign (1 or −1) at every coordinate (this is called the sign key) and a random Pauli at every coordinate (the Pauli key).

We present here a security proof which was missing from the original paper [BOCG+06]. The proof requires some care, due to a subtle point, which was not addressed in [BOCG+06]. We first prove that no Pauli attack can fool more than a small fraction of the sign keys, and thus the sign key suffices in order to protect the code from any Pauli attack. Next, we need to show that the scheme is secure against general attacks. This, surprisingly, does not follow by linearity from the security against Pauli attacks (as is the case in quantum error correcting codes): if we omit the Pauli key we get an authentication scheme which is secure against Pauli attacks but not against general attacks. We proceed by showing (with some similarity to the Clifford based QAS) that the random Pauli key effectively translates Eve's attack to a mixture (not necessarily uniform like in the Clifford case) of Pauli operators acting on a state encoded by a random signed polynomial code.

Due to its algebraic structure, the signed polynomial code QAS allows applying gates without knowing the key. This was used in [BOCG+06] for secure multiparty quantum computation; here we use it to allow the prover to perform gates without knowing the authentication key.
The QPIP protocol goes as follows. The prover receives all authenticated qubits in the beginning. Those include the inputs to the circuit, as well as authenticated magic states required to perform Toffoli gates, as described in [BOCG+06, NC00]. With those at hand, the prover can perform universal computation using only Clifford group operations and measurements (universality was proved for qubits in [BK05], and the extension to higher dimensions was used in [BOCG+06]). The prover sends the verifier results of measurements and the verifier sends information given those results, which enables the prover to continue the computation. The communication is thus classical except for the first round.

Fault Tolerance. Using the polynomial codes QAS enables applying known fault tolerance techniques based on polynomial quantum codes [ABO97, BOCG+06] to achieve robustness to local noise. However, a problem arises when attempting to apply those directly: in such a scheme, the verifier needs to send the prover polynomially many authenticated qubits every time step, so that the prover can perform error corrections on all qubits simultaneously. However, the verifier's quantum register contains only a constant number of qubits, and so the rate at which he can send authenticated qubits (a constant number at every time step) seems to cause a bottleneck in this approach.

We bypass this problem as follows. At the first stage of the protocol, authenticated qubits are sent from the verifier to the prover, one by one. As soon as the prover receives an authenticated qubit, he protects his qubits using his own concatenated error correcting codes so that the effective error in the encoded authenticated qubit is constant. This constant accuracy can be maintained for a long time by the prover, by performing error correction with respect to his error correcting code. Thus, polynomially many such authenticated states can be passed to the prover in sequence. A constant effective error is not good enough, but can be amplified to an arbitrary inverse polynomial by purification. Indeed, the prover cannot perform purification on his own since the purification compares authenticated qubits and the prover does not know the authentication code; however, the verifier can help the prover using classical communication. This way the prover can reduce the effective error on his encoded authenticated qubits to inverse polynomial, and perform the usual fault tolerant construction of the given circuit, with the help of the prover in performing the gates.

Blind Quantum Computation. To achieve Theorem 1.4 we modify our construction so that the circuit that the prover performs is a universal quantum circuit, i.e., a fixed sequence of gates which gets as input a description of a quantum circuit, plus an input string to that circuit, and applies the input quantum circuit to the input string. Since the universal quantum circuit is fixed, it reveals nothing about the input quantum circuit or the input string to it.

1.5 Interpretations of the Results 

The corollaries below clarify the connection between the results and the motivating questions, and show that one can use the QPIP protocols designed here to address the various issues raised in Sec. 1.1.

We start with a basic question. Conditioned on the verifier not aborting, does he know that the final state of the machine is very close to the correct state that was supposed to be the outcome of the computation? This unfortunately is not the case. It may be that the prover can make sure that the verifier aborts with very high probability, but when he does not abort, the computation is wrong. However, a weaker form of the above result holds: if we know that the probability of not aborting is high, then we can deduce something about correctness.

Corollary 1.5 For a QPIP protocol with security parameter $\delta$, if the verifier does not abort with probability $\ge \gamma$ then the trace distance between the final density matrix and that of the correct state is at most —

The proof is simple and is given in Appendix G.

Further interpreting Theorem 1.2, we show that under a somewhat stronger assumption than BQP $\neq$ BPP, but still a widely believed assumption, it is possible to lower bound the computational power of a successful prover and show that it is not within BPP. Assuming that there is a language $L \in$ BQP and there is a polynomial time samplable distribution $D$ on which any BPP machine errs with non-negligible probability (e.g. the standard cryptographic assumptions about the hardness of Factoring or Discrete Log), we have

Corollary 1.6 For such a language L, if the verifier interacts with a given prover for the language L, and does not 
abort with high probability, then the prover's computational power cannot be simulated by a BPP machine. 
This corollary follows immediately from Corollary 1.5.

One might wonder whether it is possible to somehow get convinced not only of the fact that the computation that 
was performed by the prover is indeed the desired one, but also that the prover must have had access to some quantum 
computer. We prove: 

Corollary 1.7 There exists a language $L \in$ BQP such that even if the prover in our QPIP is replaced by one with unbounded classical computational power, but only a constant number of qubits, the prover will not be able to convince the verifier to accept: $V$ in this case aborts the computation with high probability.

This means that our protocols suggest yet another example in which quantum mechanics cannot be simulated by classical systems, regardless of how computationally powerful they are. This property appears already in bounded storage models [Wat99], and of course (in a different setting) in the EPR experiment.

Finally, we remark that in the study of the classical notion of IP, a natural question is to ask how powerful the prover must be, to prove certain classes of languages. It is known that a PSPACE prover is capable of proving any language in PSPACE, and similarly, it is known that NP or #P restricted provers can prove any language which they can compute. This is not known for coNP, SZK or PH [AB]. It is natural to ask what is the power of a BQP prover; our results imply that such a prover can prove the entire class of BQP (albeit to a verifier who is not entirely classical). Thus, we provide a characterization of the power of a BQP prover.

1.6 Related Work and Open Questions 

The two questions regarding the cryptographic angle were asked by Childs in [Chi01], and by Arrighi and Salvail in [AS06], who proposed schemes to deal with such scenarios. However, [Chi01] does not deal with a cheating prover, and [AS06] deals with a restricted set of functions that are classically verifiable.

After deriving the results of this work, we have learned that Broadbent, Fitzsimons, and Kashefi [BFK08] have proven related results. Using measurement based quantum computation, they construct a protocol for universal blind quantum computation. In their case, it suffices that the verifier's register consists of a single qubit. Their results imply similar implications to ours, though these are implicit in [BFK08].

An important and intriguing open question is whether it is possible to remove the necessity for even a small quantum 
register, and achieve similar results in the more natural QPIP model in which the verifier is entirely classical. This would 
have interesting fundamental implications regarding the ability of a classical system to learn and test a quantum system. 

Another interesting (perhaps related?) open question is to study the model we have presented here of QPIP, 
with more than one prover. Possibly, multiprover QPIP might be strong enough even when restricted to classical 
communication. 

This work also raises some questions in the philosophy of science. In particular, it suggests the possibility of formalizing, based on computational complexity notions, the interaction between physicists and Nature; perhaps the evolution of physical theories. Following discussions with us at preliminary stages of this work, Jonathan Yaari is currently studying "interactive proofs with Nature" from the philosophy of science aspect [Yaa08].

Paper Organization. We start with some notations and background in Sec. 2. In Sec. 3 we present both our QAS and prove their security. In Sec. 4 we present our QPIP protocols together with some aspects of their security proofs. Other proofs are delayed to the appendices due to lack of space: Fault tolerance is explained in Appendix E. Blind delegated quantum computation is proved in Appendix F. The corollaries related to the interpretations of the results are proven in Appendix G.

2 Background 

2.1 Pauli and Clifford Group 

Let $\mathcal{P}_n$ denote the n-qubit Pauli group. $P = P_1 \otimes P_2 \otimes \cdots \otimes P_n$ where $P_i \in \{I, X, Y, Z\}$.

Definition 2.1 Generalized Pauli operator over $\mathbb{F}_q$: $X|a\rangle = |(a + 1) \bmod q\rangle$, $Z|a\rangle = \omega_q^{a}|a\rangle$, $Y = XZ$, where $\omega_q = e^{2\pi i/q}$ is the primitive q-th root of unity.

We note that $ZX = \omega_q XZ$. We use the same notation, $\mathcal{P}_n$, for the standard and generalized Pauli groups, as it will be clear by context which one is being used.




Definition 2.2 For vectors $x, z \in \mathbb{F}_q^m$, we denote by $P_{x,z}$ the Pauli operator $Z^{z_1}X^{x_1} \otimes \cdots \otimes Z^{z_m}X^{x_m}$.

We denote the set of all unitary matrices over a vector space $A$ as $U(A)$. The Pauli group $\mathcal{P}_n$ is a basis for the matrices acting on n qubits. In particular, we can write any matrix $U \in U(A \otimes B)$, for $A$ the space of n qubits, as $\sum_{P \in \mathcal{P}_n} P \otimes U_P$ with $U_P$ some matrix on $B$.

Let $\mathcal{C}_n$ denote the n-qubit Clifford group. Recall that it is a finite subgroup of $U(2^n)$ generated by the Hadamard matrix $H$, by $K = \begin{pmatrix} 1 & 0 \\ 0 & i \end{pmatrix}$, and by controlled-NOT. The Clifford group is characterized by the property that it maps the Pauli group $\mathcal{P}_n$ to itself, up to a phase $\alpha \in \{\pm 1, \pm i\}$. That is: $\forall C \in \mathcal{C}_n, P \in \mathcal{P}_n : \alpha C P C^\dagger \in \mathcal{P}_n$.

Fact 2.1 A random element from the Clifford group on n qubits can be sampled efficiently by choosing a string k of 
poly(n) length uniformly at random. The map from k to the group element represented as a product of Clifford group 
generators can be computed in classical polynomial time. 

2.2 Signed Polynomial Codes 

For background on polynomial quantum codes see Appendix A.

Definition 2.3 ([BOCG+06]) The signed polynomial code with respect to a string $k \in \{\pm 1\}^m$ (denoted $C_k$) is defined by:

$|S_a^k\rangle \stackrel{\mathrm{def}}{=} \frac{1}{\sqrt{q^d}} \sum_{f : \deg(f) \le d,\ f(0) = a} |k_1 \cdot f(\alpha_1), \ldots, k_m \cdot f(\alpha_m)\rangle$   (1)

We use $m = 2d + 1$. In this case, the code can detect d errors. Also, $C_k$ is self dual [BOCG+06], namely, the code subspace is equal to the dual code subspace.

3 Quantum Authentication 

3.1 Definitions 

Definition 3.1 (adapted from Barnum et al. [BCG+02]). A quantum authentication scheme (QAS) is a pair of polynomial time quantum algorithms $A$ and $B$ together with a set of classical keys $\mathcal{K}$, such that:

• $A$ takes as input an m-qubit message system $M$ and a key $k \in \mathcal{K}$ and outputs a transmitted system $T$ of $m + d$ qubits.

• $B$ takes as input the (possibly altered) transmitted system $T$ and a classical key $k \in \mathcal{K}$, and outputs two systems: an m-qubit message state $M$, and a single qubit $V$ which indicates whether the state is considered valid or erroneous. The basis states of $V$ are called $|VAL\rangle$, $|ABR\rangle$. For a fixed $k$ we denote the corresponding super-operators by $A_k$ and $B_k$.

Given a pure state $|\psi\rangle$, consider the following test on the joint system $M, V$: output a 1 if the first m qubits are in state $|\psi\rangle$ or if the last qubit is in state $|ABR\rangle$, otherwise, output 0. The corresponding projections are:

$P_1^{|\psi\rangle} = |\psi\rangle\langle\psi| \otimes I_V + (I_M - |\psi\rangle\langle\psi|) \otimes |ABR\rangle\langle ABR|$   (2)
$P_0^{|\psi\rangle} = (I_M - |\psi\rangle\langle\psi|) \otimes |VAL\rangle\langle VAL|$   (3)

The scheme is secure if for all possible input states $|\psi\rangle$ and for all possible interventions by the adversary, the expected fidelity of $B$'s output to the space defined by $P_1^{|\psi\rangle}$ is high:

Definition 3.2 A QAS is secure with error $\epsilon$ if for every state $|\psi\rangle$ it holds:

• Completeness: For all keys $k \in \mathcal{K}$: $B_k(A_k(|\psi\rangle\langle\psi|)) = |\psi\rangle\langle\psi| \otimes |VAL\rangle\langle VAL|$

• Soundness: For any super-operator $\mathcal{O}$ (representing a possible intervention by the adversary), if $\rho_B$ is defined by $\rho_B = \frac{1}{|\mathcal{K}|} \sum_{k} B_k(\mathcal{O}(A_k(|\psi\rangle\langle\psi|)))$, then: $\mathrm{Tr}(P_1^{|\psi\rangle} \rho_B) \ge 1 - \epsilon$.
3.2 Clifford Authentication Scheme



Protocol 3.1 Clifford based QAS: Given is a state $|\psi\rangle$ on m qubits and $d \in \mathbb{N}$ a security parameter. We denote $n = m + d$. The set of keys $\mathcal{K}$ consists of succinct descriptions of Clifford operations on n qubits (following Fact 2.1). We denote by $C_k$ the operator specified by a key $k \in \mathcal{K}$.

• Encoding - $A_k$: Alice applies $C_k$ on the state $|\psi\rangle \otimes |0\rangle^{\otimes d}$.

• Decoding - $B_k$: Bob applies $C_k^\dagger$ to the received state. Bob measures the auxiliary registers and declares the state valid if they are all 0, otherwise Bob aborts.

Theorem 3.1 The Clifford scheme applied to $n = m + d$ qubits is a QAS with security $2^{-d}$, where d is the number of qubits added to a message on m qubits.

Proof: Sketch. (The full proof is given in Appendix B.1.) We show that when Eve applies a non-trivial Pauli operator, then, averaging over the random Clifford operators, the effective transformation on the original state is an application of a random Pauli. Hence, any Pauli attack is detected with high probability. We then show that any attack of Eve is reduced to a very specific form:



(for some $0 \le s \le 1$). It is not hard to see, using linearity, that this type of attack is detected with high probability. □

Given r blocks of m qubits each, we can apply the QAS separately on each one of the r blocks. B declares the state valid if all of the r registers are valid according to the original Clifford QAS. We call this the concatenated Clifford protocol. The completeness of the concatenated protocol is trivial, reasoning as in the original QAS. For soundness we have the following theorem, whose proof is given in Appendix B.2.

Theorem 3.2 The concatenated Clifford protocol has the security of the individual Clifford QAS with security parameter d, that is $2^{-d}$. This holds regardless of the number of blocks (r) that are authenticated.
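The following is an added example, not code from the paper: it follows Protocol 3.1 and the proof sketch of Theorem 3.1 in the binary symplectic picture, where Eve's Pauli attack is pushed through Bob's decoding to obtain the effective Pauli $C_k^\dagger P C_k$ on the plain state, and Bob's ancilla check is evaluated on it. It assumes keys drawn as random words over the generators H, K, CNOT (a stand-in for the exact sampler of Fact 2.1) and the constructed parameters m = 1, d = 3.

```python
"""Clifford QAS (Protocol 3.1) followed in the binary symplectic picture.

Added example, not the paper's code.  A Pauli on n qubits is a pair of bit
lists (x, z) meaning X^x Z^z on each qubit; a Clifford key is a word over the
generators H, K (phase gate) and CNOT, each of which acts on a Pauli by
conjugation as a simple update of (x, z).  Global phases are dropped: they
never affect whether Bob's ancilla measurement comes out all-zero.
"""
import random


def conj_h(p, i):
    """H on qubit i: X <-> Z, so swap the X and Z bits."""
    x, z = p
    x[i], z[i] = z[i], x[i]


def conj_k(p, i):
    """Phase gate K on qubit i: X -> Y = XZ (up to phase), so z_i ^= x_i."""
    x, z = p
    z[i] ^= x[i]


def conj_cnot(p, c, t):
    """CNOT(c, t): X_c -> X_c X_t and Z_t -> Z_c Z_t."""
    x, z = p
    x[t] ^= x[c]
    z[c] ^= z[t]


def sample_key(n, rng, steps=None):
    """Key k: a random generator word (assumption: 20n steps of this random
    walk on the Clifford group mix well enough to stand in for Fact 2.1)."""
    steps = steps or 20 * n
    word = []
    for _ in range(steps):
        g = rng.choice(("H", "K", "CNOT"))
        if g == "CNOT":
            c, t = rng.sample(range(n), 2)
            word.append(("CNOT", c, t))
        else:
            word.append((g, rng.randrange(n)))
    return word


def conjugate(pauli, word, inverse=False):
    """Return C P C^dagger for C = word, or C^dagger P C when inverse=True
    (the word applied in reverse).  H and CNOT are self-inverse, and K and
    K^dagger act identically on (x, z) once phases are dropped."""
    x, z = pauli
    p = (list(x), list(z))
    for gate in (reversed(word) if inverse else word):
        if gate[0] == "H":
            conj_h(p, gate[1])
        elif gate[0] == "K":
            conj_k(p, gate[1])
        else:
            conj_cnot(p, gate[1], gate[2])
    return p


def effective_attack(key, attack):
    """Eve applies `attack` to C_k(|psi>|0^d>); after Bob's C_k^dagger the
    net action on the plain state |psi>|0^d> is C_k^dagger P C_k."""
    return conjugate(attack, key, inverse=True)


def bob_accepts(key, attack, m):
    """Bob accepts iff the effective Pauli has no X part on any of the d
    ancilla qubits (positions m..n-1): a Z leaves |0> alone, while an X or Y
    flips it to |1> and is caught by the measurement."""
    x, _ = effective_attack(key, attack)
    return not any(x[m:])


def undetected_tampering(key, attack, m):
    """The bad event: Bob accepts although the message qubits were changed."""
    x, z = effective_attack(key, attack)
    return bob_accepts(key, attack, m) and (any(x[:m]) or any(z[:m]))


def tampering_rate(attack, m, d, trials=2000, seed=7):
    """Fraction of random keys for which a fixed `attack` tampers
    undetectably.  Theorem 3.1 predicts about 2^-d for any non-identity P."""
    rng = random.Random(seed)
    n = m + d
    bad = sum(undetected_tampering(sample_key(n, rng), attack, m)
              for _ in range(trials))
    return bad / trials


if __name__ == "__main__":
    m, d = 1, 3                                     # constructed parameters
    x_on_message = ([1, 0, 0, 0], [0, 0, 0, 0])     # Eve's fixed attack: X on qubit 1
    print("without a key:", undetected_tampering([], x_on_message, m))
    print("random key, tampering rate:", tampering_rate(x_on_message, m, d))
```

Without a key the attack always slips through; with a random key it is caught except for roughly a $2^{-d}$ fraction of keys, matching the detection argument of the proof sketch.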

3.3 Polynomial Authentication Scheme 

Protocol 3.2 Polynomial Authentication protocol: Alice wishes to send the state $|\psi\rangle$ of dimension q. She chooses a security parameter d, and a code length $m = 2d + 1$.

• Encoding: Alice randomly selects a pair of keys: a sign key $k \in \{\pm 1\}^m$ and a Pauli key $(x, z)$ with $x, z \in \mathbb{F}_q^m$. She encodes using the signed quantum polynomial code $C_k$ of polynomial degree d (see Definition 2.3). She then applies the Pauli $P_{(x,z)}$ (for $j \in \{1, \ldots, m\}$ she applies $Z^{z_j}X^{x_j}$ on the j'th qubit).

• Decoding: Bob applies the inverse of $P_{(x,z)}$, and performs the error detection procedure of the code $C_k$. He aborts if any error is found and declares the message valid otherwise.

The completeness of this protocol is trivial. We proceed to prove the security of the protocol. 

Theorem 3.3 The polynomial authentication scheme is secure against general attacks with security $2^{-d}$.

Proof: A sketch was given in the introduction; the full proof is given in Appendix C.1. □

We notice that in this scheme a $q$-dimensional system is encoded into a system of dimension $q^m = q^{2d+1}$. The same security is achieved in the Clifford QAS by encoding $q$ into $q \cdot 2^d$ dimensions. The polynomial scheme is somewhat worse in parameters, but still with an exponentially good security.

To encode several registers, one can independently authenticate each register as in the Clifford case (Theorem 3.2), but in fact we can use the same sign key $k$ for all registers, while still maintaining security. This fact will be extremely useful in Sec. 4. The following theorem is proved in Appendix C.2.

Theorem 3.4 The concatenated polynomial based QAS (with the same sign key for all registers), and with degree $d$ polynomial, has the same security as the individual QAS, that is: $2^{-d}$.




(4) 
4 Interactive Proof For Quantumness



4.1 Clifford Authentication Based Protocol 

Protocol 4.1 Clifford based Interactive Proof for Q-CIRCUIT: Fix a security parameter $\epsilon$. Given is a quantum circuit consisting of two-qubit gates, $U = U_t \cdots U_1$, with error probability reduced to $\le \delta$. The verifier authenticates the input qubits of the circuit one by one using the (concatenated) Clifford QAS with security parameter $d = \lceil \log\frac{1}{\epsilon}\rceil$, that is, every qubit is authenticated by $d + 1$ qubits, and sends them to the prover. For each $i = 1$ to $t$, the verifier asks the prover for the authenticated qubits on which he would like to apply the gate $U_i$, decodes them, aborts if any error is found, applies the gate, authenticates the resulting qubits using a new pair of authentication keys, and sends the encoded qubits back to the prover. Finally, the verifier asks the prover to send the output authenticated qubit, decodes and aborts if any error is found; otherwise, measures the decoded qubit and accepts or rejects accordingly. In any case that V does not get the correct number of qubits he aborts.

Theorem 1.1 For any $\epsilon, \delta > 0$, Protocol 4.1 is a QPIP protocol with completeness $1 - \delta$ and soundness $\delta + \epsilon$ for Q-CIRCUIT.

Proof: If the prover is honest, the verifier will declare valid with certainty. Since the error in the circuit is $\le \delta$, $(1 - \delta)$ completeness follows. For soundness, we observe that for the verifier to accept if $x$ is not in the language means that he has not aborted, and also answers YES. Let us denote by $P_{bad}$ the projection on this subspace (Valid on the first qubit, Accept on the second). To bound the probability of this event, we observe that the correct state at any given step is a state which is authenticated by the concatenated Clifford QAS. We can thus use the decomposition of Eve's attacks to Paulis, namely Eq. (33). Observing that a Pauli attack in our scheme is either declared valid or leads to abort implies that the final density matrix can be written as

$$\rho_{final} = (\alpha_0 \rho_0 + \alpha_c \rho_c) \otimes |VAL\rangle\langle VAL| + \alpha_\times \rho_\times \otimes |ABR\rangle\langle ABR| , \qquad (5)$$

where $\rho_c$ is the correct state. To bound $\mathrm{Tr}(P_{bad}\,\rho_{final})$ we observe that the left term is bounded by the security parameter of the QAS, namely $\epsilon$, the second term is bounded by the error caused by the quantum circuit, namely $\delta$, and the third term vanishes. □

The classical communication is linear in the number of gates. For $\epsilon = 1/2$, we get $d = 1$, and so the verifier uses a register of 4 qubits. In fact 3 is enough, since each of the authenticated qubits can be decoded (or encoded and sent) on its own before a new authenticated qubit is handled.

4.2 Polynomial Authentication Based Protocol 

We start by describing how the prover performs a set of universal gates on authenticated qubits, using classical communication with the verifier, and special states called Toffoli states. This set of operations, namely Clifford group operations augmented with the Toffoli gate, forms a universal set of gates [BOCG+06].

Application of Quantum Gates We denote encoded gates (logical operators) with a tilde. For the full description of how to apply each of these logical gates see Appendix D.1. Briefly, for Pauli operators, the verifier merely updates his Pauli key. For the control-SUM and the Fourier transform, the prover applies the gates transversally as if the code was the standard polynomial code, and the verifier updates his sign and Pauli keys. For the measurement, the prover measures the register and sends the result to the verifier, who returns its interpretation, which he computes using his keys. The Toffoli gate is applied using the above, on the relevant authenticated qubits plus an authenticated Toffoli state [BOCG+06].

Protocol 4.2 Polynomial based Interactive Proof for Q-CIRCUIT: Fix a security parameter $\epsilon$. Given is a quantum circuit on $n$ qubits consisting of gates from the above universal set, $U = U_t \cdots U_1$. We assume the circuit has error probability $\le \delta$. The verifier sets $d = \lceil \log\frac{1}{\epsilon}\rceil$ and uses 3 registers of $m = 2d + 1$ qudits each, where each qudit is of dimensionality $q > m$. The verifier uses the concatenated polynomial QAS with security parameter $d$ to authenticate the $n$ input qudits and the necessary number of Toffoli states. This is done sequentially, using $3m$ qudits at a time. Then, the prover and verifier perform the gates of the circuit as described above. Finally, if the final measurement does not yield an authenticated answer, the verifier aborts; otherwise, he accepts or rejects according to the measurement outcome.

Theorem 4.1 Protocol 4.2 is a QPIP protocol with completeness $1 - \delta$ and soundness $\delta + \epsilon$ for Q-CIRCUIT.



This theorem implies a second proof for Theorem 1.1. The size of the verifier's register is naively $3m$, but using the same idea as in the Clifford case, $m + 2$ suffice. With $\epsilon = 1/2$, this gives a register of 5 qutrits.

Proof: (Sketch. The full proof can be found in Appendix D.2.) The completeness is trivial, similarly to the Clifford case. To prove the soundness of the protocol we first prove the following lemma.

Lemma 4.2 At any stage of the protocol the verifier's set of keys, $k$ and $\{(x, z)_j\}_{j=1}^n$, are distributed uniformly and independently.

This implies that the correct state is an encoded state according to the concatenated QAS. The rest of the argument follows closely that of the proof of Theorem 1.1. □
A Polynomial Quantum Error Correction Codes

Definition A.1 Polynomial error correction code [ABO97]. Given $m, d, q$ and $\{\alpha_i\}_{i=1}^m$ where the $\alpha_i$ are distinct non-zero values from $\mathbb{F}_q$, the encoding of $a \in \mathbb{F}_q$ is $|S_a\rangle$:

$$|S_a\rangle = \frac{1}{\sqrt{q^d}}\sum_{f : \deg(f) \le d,\ f(0) = a} |f(\alpha_1), \ldots, f(\alpha_m)\rangle \qquad (6)$$

We use here $m = 2d + 1$, in which case the code subspace is its own dual. It is easy to see that this code can detect up to $d$ errors [ABO97]. It will be useful to explicitly state the logical gates of SUM, Fourier ($F$) and Pauli operators ($X, Z$). We will see that it is possible to apply the logical operations of the Pauli operators or the controlled-sum by a simple transversal operation. We can easily verify that applying $X^{\otimes m}$ is the logical $X$ operation:

$$\tilde X|S_a\rangle = X^{\otimes m}\frac{1}{\sqrt{q^d}}\sum_{f : \deg(f) \le d,\ f(0) = a} |f(\alpha_1), \ldots, f(\alpha_m)\rangle \qquad (7)$$
$$= \frac{1}{\sqrt{q^d}}\sum_{f : \deg(f) \le d,\ f(0) = a} |f(\alpha_1) + 1, \ldots, f(\alpha_m) + 1\rangle$$

setting $f'(\alpha) = f(\alpha) + 1$:

$$= \frac{1}{\sqrt{q^d}}\sum_{f' : \deg(f') \le d,\ f'(0) = a + 1} |f'(\alpha_1), \ldots, f'(\alpha_m)\rangle \qquad (8)$$
$$= |S_{a+1}\rangle$$

Similarly for logical SUM, we consider the transversal application of controlled-sum, that is, a SUM operation applied between the $j$'th registers of $|S_a\rangle$ and $|S_b\rangle$:

$$\widetilde{SUM}|S_a\rangle|S_b\rangle = (SUM)^{\otimes m}\frac{1}{q^d}\sum_{f(0) = a}|f(\alpha_1), \ldots, f(\alpha_m)\rangle\sum_{h(0) = b}|h(\alpha_1), \ldots, h(\alpha_m)\rangle \qquad (9)$$
$$= \frac{1}{q^d}\sum_{f(0) = a,\ h(0) = b}|f(\alpha_1), \ldots, f(\alpha_m)\rangle|h(\alpha_1) + f(\alpha_1), \ldots, h(\alpha_m) + f(\alpha_m)\rangle$$

We set $g(\alpha) = f(\alpha) + h(\alpha)$:

$$\ldots = \frac{1}{q^d}\sum_{f(0) = a,\ g(0) = a + b}|f(\alpha_1), \ldots, f(\alpha_m)\rangle|g(\alpha_1), \ldots, g(\alpha_m)\rangle \qquad (10)$$
$$= |S_a\rangle|S_{a+b}\rangle$$

Showing what is the logical Fourier transform on the polynomial code requires more work. We first recall the definition of the Fourier transform in $\mathbb{F}_q$:

$$F|a\rangle = \frac{1}{\sqrt q}\sum_b \omega^{ab}|b\rangle \qquad (11)$$

We consider an $r$-variant of the Fourier transform which we denote $F_r$:

$$F_r|a\rangle \qquad (12)$$

In addition we need the following claim:

Lemma A.1 For any $m$ distinct numbers $\{\alpha_i\}_{i=1}^m$ there exist $\{c_i\}_{i=1}^m$ such that

$$\sum_{i=1}^m c_i f(\alpha_i) = f(0) \qquad (13)$$

for any polynomial $f$ of degree $\le m - 1$.

Proof: A polynomial $p$ of degree $\le m - 1$ is completely determined by its values in the points $\alpha_1, \ldots, \alpha_m$. We write $p$ in the form of the Lagrange interpolation polynomial: $p(x) = \sum_i \prod_{j \ne i}\frac{x - \alpha_j}{\alpha_i - \alpha_j}\,p(\alpha_i)$. Therefore, we set $c_i = \prod_{j \ne i}\frac{-\alpha_j}{\alpha_i - \alpha_j}$ and notice that it is independent of $p$, and the claim follows. □
We are now ready to define the logical Fourier transform. 

Claim A.2 The logical Fourier operator $\tilde F$ obeys the following identity:

$$\tilde F|S_a\rangle = F_{c_1} \otimes F_{c_2} \otimes \cdots \otimes F_{c_m}|S_a\rangle = q^{-1/2}\sum_b \omega^{ab}|S'_b\rangle \qquad (14)$$

where $|S'_b\rangle$ is the encoding of $b$ in a polynomial code of degree $m - d - 1$ on $m$ registers.
Proof of Claim A.2 We denote $|f\rangle = |f(\alpha_1), \ldots, f(\alpha_m)\rangle$.

$$F_{c_1} \otimes F_{c_2} \otimes \cdots \otimes F_{c_m}|S_a\rangle = q^{-d/2}\,F_{c_1} \otimes F_{c_2} \otimes \cdots \otimes F_{c_m}\sum_{f : \deg(f) \le d,\ f(0) = a}|f\rangle \qquad (15)$$
$$= q^{-d/2}\,q^{-m/2}\sum_{f : \deg(f) \le d,\ f(0) = a}\ \sum_{b_1, \ldots, b_m}\omega^{\sum_i c_i f(\alpha_i) b_i}|b_1, \ldots, b_m\rangle \qquad (16)$$

We think of the $b_i$'s as defining a polynomial $g$ of degree $\le m - 1$, that is $g(\alpha_i) = b_i$, and split the sum according to $g(0)$:

$$\ldots = q^{-(m+d)/2}\sum_{f : \deg(f) \le d,\ f(0) = a}\ \sum_{b}\ \sum_{g : \deg(g) \le m - 1,\ g(0) = b}\omega^{\sum_i c_i f(\alpha_i) g(\alpha_i)}|g\rangle \qquad (17)$$

We temporarily restrict our view to polynomials $g$ with degree at most $m - d - 1$, and therefore the polynomial $fg$ has degree at most $m - 1$. We use Lemma A.1 on $fg$:

$$\sum_{i=1}^m c_i f(\alpha_i) g(\alpha_i) = fg(0) = ab \qquad (18)$$

Going back to Eq. (17):

$$q^{-(m+d)/2}\sum_{f, g}\omega^{\sum_i c_i f(\alpha_i) g(\alpha_i)}|g\rangle = q^{-(m+d)/2}\sum_{f, g}\omega^{ab}|g\rangle \qquad (19)$$

where the summation is over all $f, g$ such that $f(0) = a$ and $g(0) = b$, while the degrees of $f$ and $g$ are at most $d$ and $m - d - 1$ respectively.

The sum does not depend on $f$ and there are exactly $q^d$ polynomials $f$ in the sum; therefore, we can write the expression as:

$$q^{-(m+d)/2}\sum_{b \in \mathbb{F}_q}\omega^{ab}\,q^d\sum_g|g\rangle = \frac{1}{\sqrt q}\sum_{b \in \mathbb{F}_q}\omega^{ab}\,\frac{1}{\sqrt{q^{m-d-1}}}\sum_{g : \deg(g) \le m - d - 1,\ g(0) = b}|g\rangle = \frac{1}{\sqrt q}\sum_{b \in \mathbb{F}_q}\omega^{ab}|S'_b\rangle \qquad (20)$$

Since the above expression has norm 1, it follows that the coefficients that we temporarily ignored at Eq. (17) all vanish. □



Corollary A.3 If $m = 2d + 1$ then it follows from Claim A.2 that the code is self dual.

Claim A.4 The logical Pauli $Z$ operator $\tilde Z$ is $Z^{c_1} \otimes \cdots \otimes Z^{c_m}$.

The proof of this claim is omitted since it is extremely similar to the proof of Claim A.2.
B Clifford Authentication Scheme

B.1 Security Proof of Clifford QAS

Proof of Theorem 3.1 We denote the space of the message sent from Alice to Bob as $M$. Without loss of generality, we can assume that Eve adds to the message a system $E$ (of arbitrary dimension) and performs a unitary transformation $U \in U(M \otimes E)$ on the joint system. We note that there is a unique representation $U = \sum_{P \in \mathcal{P}_n} P \otimes U_P$ since the Pauli matrices form a basis for the $2^n \times 2^n$ matrix vector space. We first characterize the effect that Eve's attack has on the unencoded message: $|\psi\rangle \otimes |0\rangle^{\otimes d}$.

Claim B.1 Let $\rho = |\psi\rangle\langle\psi| \otimes |0\rangle\langle 0|^{\otimes d}$ be the state of Alice before the application of the Clifford operator. For any attack $U = \sum_P P \otimes U_P$ by Eve, Bob's state after decoding is $\mathcal{M}_s(\rho)$, where $s = \mathrm{Tr}(U_I \rho_E U_I^\dagger)$.

We proceed with the proof of the theorem. From the above claim we know what Bob's state after Eve's intervention is, and we would like to bound its projection on $P_1^{|\psi\rangle}$:

$$\mathrm{Tr}\Big(P_1^{|\psi\rangle}\big(s\rho + \tfrac{1-s}{4^n-1}\sum_{Q \in \mathcal{P}_n\setminus\{I\}} Q\rho Q^\dagger\big)\Big) = s\,\mathrm{Tr}(P_1^{|\psi\rangle}\rho) + \frac{1-s}{4^n-1}\sum_{Q \in \mathcal{P}_n\setminus\{I\}} \mathrm{Tr}(P_1^{|\psi\rangle} Q\rho Q^\dagger) \qquad (21)$$

By definition of $P_1^{|\psi\rangle}$ we see that $\mathrm{Tr}(P_1^{|\psi\rangle}\rho) = 1$. On the other hand, $\mathrm{Tr}(P_1^{|\psi\rangle} Q\rho Q^\dagger) = 1$ when $Q$ does not flip any auxiliary qubit, and vanishes otherwise. The Pauli operators that do not flip auxiliary qubits can be written as $Q' \otimes Q''$ where $Q' \in \mathcal{P}_m$ and $Q'' \in \{I, Z\}^{\otimes d}$. It follows that the number of such operators is exactly $4^m 2^d$. Omitting the identity $I_n$ we are left with $4^m 2^d - 1$ operators which are undetected by our scheme. We return to Eq. (21):

$$\ldots \ge s + (1-s)\Big(1 - \frac{4^m 2^d - 1}{4^n - 1}\Big) \qquad (22)$$
$$= 1 - (1-s)\frac{4^m 2^d - 1}{4^n - 1} \qquad (23)$$
$$\ge 1 - \frac{1-s}{2^d} \qquad (24)$$

The security follows from the fact that $s \ge 0$, and hence the projection is bounded from below by $1 - 2^{-d}$.

□

We remark that the above proof in fact implies a stronger theorem: interventions that are very close to $I$ are even more likely to keep the state in the space defined by $P_1^{|\psi\rangle}$.

What remains to prove is Claim B.1 which is stated above. To this end we need three simple lemmata:

Lemma B.2 Fix a non-identity Pauli operator. Applying a random Clifford operator (by conjugation) maps it to a Pauli operator chosen uniformly over all non-identity Pauli operators. More formally, for every $P, Q \in \mathcal{P}_n \setminus \{I\}$ it holds that: $|\{C \in \mathfrak{C}_n \mid C^\dagger P C = Q\}| = \frac{|\mathfrak{C}_n|}{4^n - 1}$.

Lemma B.3 Let $P \ne P'$ be Pauli operators. For any $\rho$ it holds that: $\sum_{C \in \mathfrak{C}_n} C^\dagger P C \rho C^\dagger P' C = 0$.

Lemma B.4 Let $U = \sum_{P \in \mathcal{P}_n} P \otimes U_P$ be a unitary operator. For any density matrix $\rho$:

$$\sum_{P \in \mathcal{P}_n} \mathrm{Tr}(U_P \rho U_P^\dagger) = 1 \qquad (25)$$

Assuming these lemmata we are ready to prove the claim:

Proof of Claim B.1 Let $U = \sum_{P \in \mathcal{P}_n} P \otimes U_P$ be the operator applied by Eve. We denote by $\rho = |\psi\rangle\langle\psi| \otimes |0\rangle\langle 0|$ the state of Alice prior to encoding. Let us now write the state of Bob's system after decoding and before measuring the $d$ auxiliary qubits. For clarity of reading we omit the normalization factor $\frac{1}{|\mathfrak{C}_n|}$ and denote the Clifford operation applied by Alice (Bob) $C$ ($C^\dagger$):

$$\rho_{Bob} = \mathrm{Tr}_E\Big(\sum_{C \in \mathfrak{C}_n} (C \otimes I_E)^\dagger\, U\, \big((C \otimes I_E)\rho(C \otimes I_E)^\dagger \otimes \rho_E\big)\, U^\dagger (C \otimes I_E)\Big) \qquad (26)$$
$$= \mathrm{Tr}_E\Big(\sum_{P,P' \in \mathcal{P}_n}\sum_{C \in \mathfrak{C}_n} (C \otimes I_E)^\dagger (P \otimes U_P) \big((C \otimes I_E)\rho(C \otimes I_E)^\dagger \otimes \rho_E\big) (P' \otimes U_{P'})^\dagger (C \otimes I_E)\Big) \qquad (27)$$
Regrouping elements operating on $M$ and on $E$ we have:

$$\ldots = \mathrm{Tr}_E\Big(\sum_{P,P' \in \mathcal{P}_n}\sum_{C \in \mathfrak{C}_n} (C^\dagger P C \rho C^\dagger P' C) \otimes U_P \rho_E U_{P'}^\dagger\Big) = \sum_{P,P' \in \mathcal{P}_n}\sum_{C \in \mathfrak{C}_n} (C^\dagger P C \rho C^\dagger P' C)\cdot \mathrm{Tr}(U_P \rho_E U_{P'}^\dagger) \qquad (28)$$

We use Lemma B.3 and are left only with $P = P'$:

$$\ldots = \sum_{P \in \mathcal{P}_n}\sum_{C \in \mathfrak{C}_n} (C^\dagger P C \rho C^\dagger P C)\cdot\mathrm{Tr}(U_P \rho_E U_P^\dagger) \qquad (29)$$

We first consider the case where $P = I$; then:

$$\sum_{C \in \mathfrak{C}_n} C^\dagger P C \rho C^\dagger P C = |\mathfrak{C}_n|\,\rho \qquad (30)$$

On the other hand, when $P \ne I$, by Lemma B.2:

$$\sum_{C \in \mathfrak{C}_n} C^\dagger P C \rho C^\dagger P C = \frac{|\mathfrak{C}_n|}{4^n - 1}\sum_{Q \in \mathcal{P}_n\setminus\{I\}} Q \rho Q^\dagger \qquad (31)$$

Plugging the above two equations in Eq. (29):

$$\ldots = |\mathfrak{C}_n|\,\rho\,\mathrm{Tr}(U_I \rho_E U_I^\dagger) + \sum_{P \in \mathcal{P}_n\setminus\{I\}}\ \sum_{Q \in \mathcal{P}_n\setminus\{I\}} (Q\rho Q^\dagger)\,\frac{|\mathfrak{C}_n|}{4^n - 1}\,\mathrm{Tr}(U_P \rho_E U_P^\dagger) \qquad (32)$$

We use Lemma B.4, and so Bob's state after renormalization can be written as:

$$s\rho + \frac{1-s}{4^n - 1}\sum_{Q \in \mathcal{P}_n\setminus\{I\}} Q\rho Q^\dagger \qquad (33)$$

for $s = \mathrm{Tr}(U_I \rho_E U_I^\dagger)$, which concludes the proof. □
Finally, we prove the lemmata stated above:

Proof of Lemma B.2 We first claim that for every $Q, P \in \mathcal{P}_n \setminus \{I\}$ there exists $D \in \mathfrak{C}_n$ such that $D^\dagger P D = Q$. We will prove this claim by induction. Specifically, we show that starting from any non-identity Pauli operator one can, using conjugation by Clifford group operators, reach the Pauli operator $X \otimes I^{\otimes n-1}$. We first notice that the swap operation is in $\mathfrak{C}_2$ since it holds that:

$$SWAP_{k,k+1} = CNOT_{k \to (k+1)}\, CNOT_{(k+1) \to k}\, CNOT_{k \to (k+1)} \qquad (34)$$

Furthermore, we recall that $K^\dagger (XZ) K \propto X$ and $H^\dagger Z H = X$. Therefore, any Pauli $P = P_1 \otimes \cdots \otimes P_n$ can be transformed using $SWAP$, $H$ and $K$ to the form $X^{\otimes k} \otimes I^{\otimes n-k}$ (up to a phase). To conclude we use:

$$CNOT_{1\to 2}^\dagger (X_1 \otimes X_2) CNOT_{1 \to 2} = X \otimes I \qquad (35)$$

which reduces the number of $X$ operators at hand. Applying this sufficiently many times results in reaching the desired form. Since this holds for any non-identity Pauli operators $P, Q$, we know there are $C, D \in \mathfrak{C}_n$ such that:

$$X \otimes I^{\otimes n-1} = C^\dagger P C = D^\dagger Q D \qquad (36)$$
$$\Rightarrow\ D C^\dagger P C D^\dagger = Q \qquad (37)$$

therefore $C D^\dagger$ is the operator we looked for. We return to the proof of the Lemma. Let us first fix some $Q \ne I$; it will suffice to prove that for any $P, P'$ the set $A_{P,P'} := \{C \in \mathfrak{C}_n \mid C^\dagger P C = P'\}$ is of a fixed size. We set $D \in \mathfrak{C}_n$ such that $D^\dagger P D = Q$; then it holds that $CD \in A_{Q,P'} \Leftrightarrow C \in A_{P,P'}$, therefore $|A_{P,P'}| = |A_{Q,P'}|$, and $|A_{Q,P'}| = |A_{Q,P}|$ follows trivially.

We use the fact that the sets $\{A_{P,Q} : \forall P\}$ form a partition of $\mathfrak{C}_n$, and that all $A_{P,Q}$ have the same size:

$$|\mathfrak{C}_n| = \sum_{P' \in \mathcal{P}_n \setminus I} |A_{P',Q}| = (4^n - 1)\,|A_{P,Q}| \qquad (38)$$

which concludes the proof. □

Proof of Lemma B.3 Since $P \ne P'$ we know there exists an index $i$ such that $P_i \ne P'_i$, that is:

$$P_i = X^a Z^b,\qquad P'_i = X^{a'} Z^{b'} \qquad (39)$$

where $(a, b) \ne (a', b')$. Let us define $Q_i = X_i^{1-b-b'} Z_i^{1-a-a'} \otimes I$. We notice that $(Q_i \otimes I)C \in \mathfrak{C}_n$ and furthermore any operator in $\mathfrak{C}_n$ can be written in this form. We write $Q_i C$ instead of $(Q_i \otimes I)C$ for simplicity.

$$\sum_{C \in \mathfrak{C}_n} C^\dagger P C \rho C^\dagger P' C = \sum_{Q_i C \in \mathfrak{C}_n} (Q_i C)^\dagger P (Q_i C)\,\rho\,(Q_i C)^\dagger P' (Q_i C) \qquad (40)$$
$$= \sum C^\dagger Q_i^\dagger P Q_i C \rho C^\dagger Q_i^\dagger P' Q_i C \qquad (41)$$

It is easy to check that $Q_i$ commutes with either $P'$ or $P$ and anti-commutes with the other. Therefore:

$$\ldots = (-1)\sum C^\dagger Q_i^\dagger Q_i P C \rho C^\dagger Q_i^\dagger Q_i P' C \qquad (42)$$
$$= (-1)\sum_{Q_i C \in \mathfrak{C}_n} C^\dagger P C \rho C^\dagger P' C \qquad (43)$$
$$= (-1)\sum_{C \in \mathfrak{C}_n} C^\dagger P C \rho C^\dagger P' C \qquad (44)$$

This concludes the proof since the sum must vanish.

□

Proof of Lemma B.4 We analyze the action of $U$ on the density matrix $I \otimes \tau$. We first notice that $U$ is a trace preserving operator, that is: $\mathrm{Tr}(U(I \otimes \tau)U^\dagger) = \mathrm{Tr}(I \otimes \tau) = 1$. On the other hand it holds that:

$$\mathrm{Tr}(U(I \otimes \tau)U^\dagger) = \sum_{P,P' \in \mathcal{P}_n}\mathrm{Tr}\big((P \otimes U_P)(I \otimes \tau)(P' \otimes U_{P'})^\dagger\big) \qquad (45)$$
$$= \sum_{P,P' \in \mathcal{P}_n}\mathrm{Tr}\big(P I P'^\dagger \otimes U_P \tau U_{P'}^\dagger\big) \qquad (46)$$
$$= \sum_{P,P' \in \mathcal{P}_n}\mathrm{Tr}(P P'^\dagger)\,\mathrm{Tr}(U_P \tau U_{P'}^\dagger) \qquad (47)$$

If $P \ne P'$ then $\mathrm{Tr}(PP'^\dagger) = 0$, and therefore:

$$\ldots = \sum_{P \in \mathcal{P}_n}\mathrm{Tr}(P P^\dagger)\,\mathrm{Tr}(U_P \tau U_P^\dagger) \qquad (48)$$

It follows that $1 = \sum_{P \in \mathcal{P}_n}\mathrm{Tr}(U_P \tau U_P^\dagger)$, which concludes the proof.

□

B.2 Concatenated Clifford QAS 



Proof of Theorem 3.2 From Claim B.1 we know that any attack by Eve on an authenticated register is equivalent to an effect of the mixing operator $\mathcal{M}_s$ on the unencoded message space. We notice that any attack on the concatenated protocol is in fact equivalent to separate attacks on the different registers. This follows from the fact that any individual attack can be broken down to attacks of the form $\mathcal{M}_s$; specifically, for $r = 2$:

$$\rho_{Bob} = \frac{1}{|\mathfrak{C}_n|^2}\sum_{C_1,C_2 \in \mathfrak{C}_n} (C_1 \otimes C_2)^\dagger\, E\big((C_1 \otimes C_2)(\rho_1 \otimes \rho_2)(C_1 \otimes C_2)^\dagger\big)(C_1 \otimes C_2)$$
$$= \frac{1}{|\mathfrak{C}_n|^2}\sum_{P,Q \in \mathcal{P}_n}\ \sum_{C_1,C_2 \in \mathfrak{C}_n} \alpha_{P,Q}\,(C_1 \otimes C_2)^\dagger (P \otimes Q)(C_1 \otimes C_2)(\rho_1 \otimes \rho_2)(C_1 \otimes C_2)^\dagger (P \otimes Q)^\dagger (C_1 \otimes C_2)$$
$$= \sum_{P,Q \in \mathcal{P}_n} \alpha_{P,Q}\Big(\frac{1}{|\mathfrak{C}_n|}\sum_{C_1 \in \mathfrak{C}_n} C_1^\dagger P C_1 \rho_1 C_1^\dagger P C_1\Big) \otimes \Big(\frac{1}{|\mathfrak{C}_n|}\sum_{C_2 \in \mathfrak{C}_n} C_2^\dagger Q C_2 \rho_2 C_2^\dagger Q C_2\Big) \qquad (49)$$

We denote $\mathcal{M}_s(\rho) = \tilde\rho$, and use Lemma B.2; it holds that:

$$\ldots = \alpha_{I,I}(\rho_1 \otimes \rho_2) + \Big(\sum_{P,Q \ne I} \alpha_{P,Q}\Big)(\tilde\rho_1 \otimes \tilde\rho_2) + \Big(\sum_{P \ne I}\alpha_{P,I}\Big)(\tilde\rho_1 \otimes \rho_2) + \Big(\sum_{Q \ne I}\alpha_{I,Q}\Big)(\rho_1 \otimes \tilde\rho_2) \qquad (50)$$

Bob does not abort if both individual Clifford QAS are valid. From the security of the individual QAS we know that $\mathrm{Tr}(P^{\rho_1} B(\tilde\rho_1)) \le 2^{-d}$, where $B$ is Bob's cheat detecting procedure. We also notice that $P^{\rho_1 \otimes \rho_2} = P^{\rho_1} \otimes P^{\rho_2}$. We first rewrite Eq. (50) more clearly:

$$\ldots = s(\rho_1 \otimes \rho_2) + q(\tilde\rho_1 \otimes \rho_2) + r(\rho_1 \otimes \tilde\rho_2) + t(\tilde\rho_1 \otimes \tilde\rho_2) \qquad (51)$$

and using the above observations we have:

$$\mathrm{Tr}\Big(P^{\rho_1 \otimes \rho_2}\big(s(\rho_1 \otimes \rho_2) + q(\tilde\rho_1 \otimes \rho_2) + r(\rho_1 \otimes \tilde\rho_2) + t(\tilde\rho_1 \otimes \tilde\rho_2)\big)\Big) \le s \cdot 0 + q \cdot 2^{-d} + r \cdot 2^{-d} + t \cdot 2^{-d}\cdot 2^{-d} \le (1-s)\,2^{-d} \qquad (52)$$

where the inequality holds since $s + q + r + t = 1$.

The claim for $r > 2$ follows the exact same lines and is therefore omitted.

□

C Polynomial Authentication Scheme 

C.l Security Proof of Polynomial QAS 

C.l.l Security Against Pauli Attacks 

Lemma C.1 The polynomial QAS is secure against (generalized) Pauli attacks, that is, in the case where the adversary applies a Pauli operator. In this case the projection of Bob's state on the space spanned by $P_1^{|\psi\rangle}$ is at least $1 - 2^{-d}$.

Proof: Let us consider the effect of a Pauli operator $Q$ on the signed polynomial code $C_k$. We first show that with probability $1 - 2^{-d}$ over the sign key $k$, the effect of $Q$ is detected by the error detection procedure.

Let $Q_x \ne I$ be a Pauli operator $Q_x = X^{x_1} \otimes \cdots \otimes X^{x_m}$ where $x \in \mathbb{F}_q^m$. The effect of $Q_x$ on the code is an addition of $x_i$ to the $i$'th qubit. This addition passes the error detection step only if $x$ coincides with the values of a signed polynomial of degree at most $d$. We consider two cases depending on the weight of $x$:

• If $|x| \le d$: let us denote by $g$ the polynomial that satisfies $\forall i\ \ k_i g(\alpha_i) = x_i$; since $Q_x \ne I$ we know that $g \ne 0$. Then $g$ has at least $m - d$ zeros. Since $g$ is nonzero it must have degree of at least $m - d = d + 1$. Such an attack will be detected with certainty by the error detection procedure.
• Otherwise, assume without loss of generality that $x_i \ne 0$ for $i \le |x|$. There is exactly one polynomial $f$ of degree at most $d$ such that $\forall i \ge d+1\ \ k_i f(\alpha_i) = x_i$. For the attack of Eve to be undetected, $x$ must agree with $f$ on the remaining coordinates as well:

$$\Pr\big(\forall i \le d\ \ x_i = k_i f(\alpha_i)\big) = \prod_{i=1}^{d} \Pr_{k_i}\big(k_i = x_i\, f(\alpha_i)^{-1}\big) \qquad (53)$$

Equality holds since the $k_i$ are independent, $k_i = k_i^{-1}$ and $x_i \ne 0$ for $i \le d$. Since $k_i = c$ with probability at most half, we conclude that the probability that Eve's attack is undetected is at most $2^{-d}$.

Now that we have proved the claim for operators of the form $Q_x$, we handle the general case. Pauli $Z$ operators are mapped in the dual code to $X$ operators. Since the signed polynomial code is self dual, $Q_z$ attacks will be caught with probability $1 - 2^{-d}$ as well. To conclude the proof we notice that detection of $Q_x$ attacks does not depend on the existence of $Q_z$ attacks; therefore, a non-identity operator $Q_{x,z} = P_z P_x$ will be detected with the correct probability since either $x$ or $z$ must be non-trivial.

What remains is to notice that the Pauli randomization $P_{x,z}$ simply shifts any attack $Q$ on the authenticated message to a different Pauli. That is, the effect on the signed polynomial code is $P_{x,z}^\dagger Q P_{x,z}$. We conclude that any Pauli operator acting on the polynomial QAS is detected with a probability of at least $1 - 2^{-d}$, as claimed. □

C.1.2 Security Against General Attacks 

We start with a generalization of Lemma B.3 for generalized Pauli operators.

Lemma C.2 Let $P \ne P'$ be generalized Pauli operators. Then: $\sum_{Q \in \mathcal{P}_m} Q^\dagger P Q \rho Q^\dagger P'^\dagger Q = 0$.

The proof follows the same lines as Lemma B.3.

Proof of Lemma C.2 Let $P \ne P'$ be generalized Pauli operators $P = X^a Z^b$ and $P' = X^{a'} Z^{b'}$.

$$\sum_{Q \in \mathcal{P}_m} Q^\dagger P Q \rho Q^\dagger P'^\dagger Q = \sum_{d,c=0}^{q-1} (X^c Z^d)^\dagger X^a Z^b (X^c Z^d)\,\rho\,(X^c Z^d)^\dagger (X^{a'} Z^{b'})^\dagger (X^c Z^d) \qquad (54)$$

We use the fact that $Z^d X^c = \omega^{dc} X^c Z^d$ and some algebra:

$$\ldots = \sum_{d,c=0}^{q-1} \omega_q^{d(a-a') + c(b-b')}\, X^a Z^b \rho Z^{-b'} X^{-a'} \qquad (55)$$
$$= X^a Z^b \rho Z^{-b'} X^{-a'} \sum_{c=0}^{q-1}\omega_q^{c(b-b')}\sum_{d=0}^{q-1}\omega_q^{d(a-a')} \qquad (56)$$

To conclude the proof we recall that $a \ne a'$ or $b \ne b'$, hence one of the above sums vanishes.

□

In addition we need one more simple lemma:

Lemma C.3 For any generalized Pauli operator $P$:

$$\sum_{Q \in \mathcal{P}_m} Q^\dagger P Q \rho Q^\dagger P^\dagger Q = |\mathcal{P}_m|\, P \rho P^\dagger \qquad (57)$$

Proof of Lemma C.3 From the observation about generalized Pauli operators in Sec. 2 we know that for any two generalized Pauli operators $P, Q$, $PQ = \alpha QP$ where $\alpha$ is some phase dependent on $P$ and $Q$. Therefore:

$$\sum_{Q \in \mathcal{P}_m} Q^\dagger P Q \rho Q^\dagger P^\dagger Q = \sum_{Q \in \mathcal{P}_m} \alpha P \rho \alpha^* P^\dagger = |\mathcal{P}_m|\, P \rho P^\dagger \qquad (58)$$

□

Proof of Theorem 3.3 The proof will follow the same lines as Theorem 3.1. For clarity, we omit the normalization factor $\frac{1}{|\mathcal{P}_m|}$. We start by decomposing any attack $V \in U(M \otimes E)$ made by Eve to $V = \sum_{P \in \mathcal{P}_m} P \otimes U_P$. Bob's state prior to applying the error detection procedure is:

$$\rho_{Bob} = \mathrm{Tr}_E\Big(\sum_{Q \in \mathcal{P}_m} (Q \otimes I_E)^\dagger\, V\,\big((Q \otimes I_E)\,\rho \otimes \rho_E\,(Q \otimes I_E)^\dagger\big)\, V^\dagger (Q \otimes I_E)\Big) \qquad (59)$$
$$= \mathrm{Tr}_E\Big(\sum_{P,P' \in \mathcal{P}_m}\sum_{Q \in \mathcal{P}_m} (Q \otimes I_E)^\dagger (P \otimes U_P)\big((Q \otimes I_E)\,\rho \otimes \rho_E\,(Q \otimes I_E)^\dagger\big)(P' \otimes U_{P'})^\dagger (Q \otimes I_E)\Big) \qquad (60)$$

Regrouping elements operating on $M$ and on $E$ we have:

$$\ldots = \mathrm{Tr}_E\Big(\sum_{P,P' \in \mathcal{P}_m}\sum_{Q \in \mathcal{P}_m} (Q^\dagger P Q \rho Q^\dagger P'^\dagger Q) \otimes U_P \rho_E U_{P'}^\dagger\Big) = \sum_{P,P' \in \mathcal{P}_m}\sum_{Q \in \mathcal{P}_m} \mathrm{Tr}(U_P \rho_E U_{P'}^\dagger)\cdot(Q^\dagger P Q \rho Q^\dagger P'^\dagger Q) \qquad (61)$$

We use Lemma C.2 and are left only with $P = P'$:

$$\ldots = \sum_{P \in \mathcal{P}_m}\sum_{Q \in \mathcal{P}_m} \mathrm{Tr}(U_P \rho_E U_P^\dagger)\cdot(Q^\dagger P Q \rho Q^\dagger P^\dagger Q) \qquad (62)$$

Now we use Lemma C.3:

$$\ldots = \sum_{P \in \mathcal{P}_m} \mathrm{Tr}(U_P^\dagger U_P \rho_E)\cdot |\mathcal{P}_m|\, P\rho P^\dagger \qquad (63)$$

We set $a_P = \mathrm{Tr}(U_P^\dagger U_P \rho_E)$ and we rewrite Bob's state after normalization:

$$a_I \cdot \rho + \sum_{P \in \mathcal{P}_m \setminus\{I\}} a_P \cdot P\rho P^\dagger \qquad (64)$$

Recall that we are interested in the projection of Bob's state on the subspace spanned by the operator $P_1^{|\psi\rangle}$:

$$\mathrm{Tr}\Big(P_1^{|\psi\rangle}\big(a_I \cdot \rho + \sum_{P \in \mathcal{P}_m \setminus\{I\}} a_P \cdot P\rho P^\dagger\big)\Big) = a_I + \sum_{P \in \mathcal{P}_m \setminus\{I\}} a_P\,\mathrm{Tr}\big(P_1^{|\psi\rangle} P\rho P^\dagger\big) \qquad (65)$$

We use the bound from Lemma C.1:

$$\ldots \ge a_I + \sum_{P \in \mathcal{P}_m \setminus\{I\}} a_P\,(1 - 2^{-d}) \qquad (66)$$

which concludes the proof. Similarly to the random Clifford authentication scheme, the closer Eve's intervention is to the identity, that is, the less Eve does, the closer the projection on the good subspace is to 1. □



C.2 Concatenated Polynomial QAS 

When authenticating multiple registers, it may seem at first glance that Eve has the advantage of being able to tamper with the state by applying some transformation on the entire space. In the concatenated Clifford authentication protocol, the intervention of Eve is broken down to individual attacks on each register by the fact that random Clifford operators are applied to each register independently.

The main idea for the concatenated polynomial authentication is to use an independent Pauli key $(x, z)$ for each register, while maintaining the sign key $k$ equal between registers. This idea will suffice to "break up" the attack of Eve into a sequence of attacks on each register separately.
Protocol C.1 Concatenated polynomial Authentication protocol:

Alice wishes to send a state $|\psi\rangle \in (\mathbb{C}^q)^{\otimes r}$, that is, $r$ $q$-dimensional systems. For a security parameter $d$, set $m = 2d + 1$. Alice randomly selects a single sign key $k \in \{\pm 1\}^m$; furthermore, Alice selects $r$ independent Pauli keys $(x_j, z_j)$.

To encode $|\psi\rangle$ Alice encodes each $q$-dimensional system using the signed polynomial code specified by $k$. Additionally, Alice shifts the $j$'th encoded message by $P_{(x_j, z_j)}$.

Bob decodes each message separately; if all messages are correctly authenticated Bob declares as valid the concatenated message, otherwise Bob aborts.



We now prove Theorem 3.4.

Proof of Theorem 3.4 We notice that all the reasoning in Theorem 3.3 up to Eq. (66) holds in this case as well. So we have that the projection on the good subspace $P_1^{|\psi\rangle}$ is equal to:

$$a_I + \sum_{P \in \mathcal{P}_{r \cdot m}\setminus\{I\}} a_P\,\mathrm{Tr}\big(P_1^{|\psi\rangle} P\rho P^\dagger\big) \qquad (68)$$

We start by writing $\mathrm{Tr}(P_1^{|\psi\rangle} P\rho P^\dagger) = 1 - \mathrm{Tr}(P_0^{|\psi\rangle} P\rho P^\dagger)$. We recall that $P$ here is a Pauli operator from the group $\mathcal{P}_{m \cdot r}$, so we write $P = P_{(1)} \otimes \cdots \otimes P_{(r)}$.

Lemma C.4 The probability for Bob to be fooled by the application of $P \ne I$ is at most $2^{-d}$.

Proof: For $P\rho P^\dagger$ to be in $P_0^{|\psi\rangle}$ it must be the case that for all $j$ such that $P_{(j)} \ne I$ Eve escapes detection (Bob does not abort although the register is "corrupted"). We note that Bob declares as valid the remaining registers (where $P_{(j)} = I$) with certainty. We assume without loss of generality that $P_{(1)} \ne I$, and write the probability that Bob is fooled:

$$\Pr(\text{Bob is fooled by } P) = \Pr\big(\forall j : P_{(j)} \ne I,\ \text{Bob is fooled by } P_{(j)}\big) \qquad (69)$$
$$\le \Pr(\text{Bob is fooled by } P_{(1)}) \qquad (70)$$
$$\le 2^{-d} \qquad (71)$$

where the last inequality holds by Lemma C.1. □

Plugging this result into Eq. (66) we have:

$$\ldots = a_I + \sum_{P \in \mathcal{P}_{r \cdot m}\setminus\{I\}} a_P\big(1 - \mathrm{Tr}(P_0^{|\psi\rangle} P\rho P^\dagger)\big) \qquad (72)$$
$$\ge a_I + \sum_{P \in \mathcal{P}_{r \cdot m}\setminus\{I\}} a_P\,(1 - 2^{-d}) \qquad (73)$$
$$= 1 - \frac{1 - a_I}{2^d} \qquad (74)$$

which concludes the proof. □



D Polynomial Authentication Based QPIP 
D.l Secure Application of Quantum Gates 

We have seen in Sec. 2.2 how to perform operations on states encoded by a polynomial code. In this section we present a way for the prover to apply certain operations on a signed, shifted polynomial error correcting code. This can be done without compromising the security of the authentication scheme.

The main idea is that the transversal operations performed on the signed polynomial code have almost the desired effect on the state at hand. The verifier will only need to update his keys $(x, z)$ for the prover's action to have the desired effect on the state.

We will first show the simple and elegant fact that if the verifier wants a (generalized) Pauli applied to the state, he does not need to ask the prover to do anything. The only thing the verifier must do is change his Pauli keys. Then, we show how to perform other operations such as SUM, Fourier and Measurement.
• Pauli X: The logical $X$ operator consists of an application of $X^{k_1} \otimes \cdots \otimes X^{k_m}$ where $k$ is the sign key. We claim that the change $(x, z) \to (x - k, z)$ will in fact change the interpretation the verifier assigns to the state in the desired way:

$$P_{x,z}|S^k_a\rangle = P_{x-k,z}\,X^{-(x-k)} Z^{-z} Z^{z} X^{x}|S^k_a\rangle = P_{x-k,z}\,(X^{k_1} \otimes \cdots \otimes X^{k_m})|S^k_a\rangle = P_{x-k,z}\,\tilde X|S^k_a\rangle \qquad (75)$$

• Pauli Z: Similarly to the $X$ operator, all that is needed is a change of the Pauli key. We recall that $\tilde Z = Z^{c_1 k_1} \otimes \cdots \otimes Z^{c_m k_m}$. We define the vector $t$ by $t_i = c_i k_i$. From the same argument as above, it holds that the change of keys must be $(x, z) \to (x, z - t)$.

• Controlled-Sum: In order to remotely apply the $SUM$ operation the prover performs transversally Controlled-Sum ($SUM$) from register $A$ to register $B$ on the authenticated states, as if the code was not shifted by the Pauli masking. However, a change in the Pauli keys is needed for the operation to have the desired effect. It is easy to check that:

$$SUM\,(Z^{z_A} X^{x_A} \otimes Z^{z_B} X^{x_B}) = (Z^{z_A - z_B} X^{x_A} \otimes Z^{z_B} X^{x_B + x_A})\,SUM \qquad (76)$$

which implies that the same holds for the logical operation $\widetilde{SUM}$ and the Pauli shift $P_{(x,z)}$, that is:

$$\widetilde{SUM}\,(P_{(x_A, z_A)} \otimes P_{(x_B, z_B)}) = (P_{(x_A, z_A - z_B)} \otimes P_{(x_B + x_A, z_B)})\,\widetilde{SUM} \qquad (77)$$

Hence, the verifier must change the pair of keys $(x_A, z_A), (x_B, z_B)$ to $(x_A, z_A - z_B)$ and $(x_B + x_A, z_B)$ for the $SUM$ to have the desired effect on the state.

• Fourier: The prover performs Fourier transversally on the authenticated state. We recall that the Fourier operation swaps the roles of the $X$ and $Z$ Pauli operators: $F X^x F^\dagger = Z^x$ and $F Z^z F^\dagger = X^{-z}$. This is true for each register separately and hence:

$$F \cdot Z^{z_1} X^{x_1} \otimes \cdots \otimes Z^{z_m} X^{x_m} = X^{-z_1} Z^{x_1} \otimes \cdots \otimes X^{-z_m} Z^{x_m} \cdot F \simeq Z^{x_1} X^{-z_1} \otimes \cdots \otimes Z^{x_m} X^{-z_m} \cdot F \qquad (78)$$

where the last equality is up to a global phase. Therefore the verifier must change the key $(x, z)$ to $(-z, x)$.

• Measurement in the standard basis: The prover measures the encoded state in the standard basis and sends the result to the verifier. Using the $x$ part of the Pauli key and the knowledge of $k$, the verifier interpolates the polynomial according to the values in the received set of points. If the polynomial is indeed a polynomial of low degree (which is always the case if the prover is honest) the verifier sends the encoded value to the prover. Otherwise, the prover is caught cheating and the verifier aborts.

• Toffoli: The (generalized) Toffoli gate is applied using Clifford group operations on the Toffoli state $\sum_{a,b}|a, b, ab\rangle$ ([BOCG+06], [NC00]). The application of a Toffoli gate in such a way does not imply a change of keys directly. Changes are made with respect to the actual operations that were performed.

D.2 Proof of Lemma 4.2

Lemma 4.2 At any stage of the protocol the verifier's set of keys, $k$ and $\{(x, z)_j\}_{j=1}^n$, are distributed uniformly and independently.

Proof of Lemma 4.2 Before any gate is applied the claim holds. All that needs to be done is to check that all changes keep this desired property.

The sign key $k$ does not change during the protocol, so in this case the claim is trivial. At every step at most two pairs of Pauli keys change; let us review the possible changes (see Appendix D.1) and verify that the claim holds:
• Changes from the Pauli operators and Fourier transform induce shift, swap or negation changes to the keys; all of them preserve the uniform independent distribution trivially.

• The SUM operation involves two sets of keys $(x_A, z_A), (x_B, z_B)$ which change to $(x_A, z_A - z_B)$ and $(x_B + x_A, z_B)$. The sum $x_B + x_A$ is mod $q$, hence it is distributed uniformly; in addition it is not hard to see that it is independent of $x_A$. The same holds for $z_A - z_B$ and $z_B$. Other parts of both keys are trivially distributed correctly.

• When the prover measures an authenticated qubit in the standard basis, the outcome of the measurement is distributed uniformly at random in $\mathbb{F}_q^m$. Specifically, the outcome does not depend on the sign key or the information that is authenticated. Therefore, even when the prover has the interpretation of his measurement outcome, he does not gain any information about the sign key $k$ or the Pauli keys of other registers.

□ 

E Fault Tolerant QPIP 

For the interactive proofs described above to be relevant in any realistic scenario, dealing with noise is necessary. We will present a scheme based on the polynomial QPIP that enables us to conduct interactive proofs in the presence of noise. 

Theorem 1.3 Theorem 1.1 holds also when the quantum communication and computation devices are subjected to the usual local noise model. 

Proof: (Sketch) Our proof is based on a collection of standard fault-tolerant quantum computation techniques. Care must be taken with the fact that the verifier is the only one who can authenticate qudits, while he cannot authenticate many qudits in parallel. 

The proof can be divided into three stages. 

In the first stage, the prover receives authenticated qudits from the verifier, one by one. Each qudit is authenticated using $m$ qudits. The prover ignores the authentication structure and begins encoding each of the $m$ qudits separately using a concatenated error correcting code, with total length which is polylogarithmic, as is required for the fault tolerance scheme in [ABO97]. From the work of [ABO97, KLZ98] (and others) we know that this encoding can be done in a fault tolerant way, such that if the error probability was less than some threshold $\eta$, then the encoded qudit is faulty (namely, has an effective error) with probability at most $\eta'$, where $\eta'$ is a constant that depends on $\eta$ and other parameters of the encoding scheme, but not on $n$. We denote this concatenated encoding procedure by $\mathcal{E}$. 

Since each authenticated qudit sent to the prover is encoded using a constant number ($m$) of qudits, it follows that with constant probability all of these qudits are effectively correct. In other words, the encoding $(\mathcal{E} \otimes \cdots \otimes \mathcal{E})$ of the authenticated qudit has no effective faults with probability $\eta''$. 

Once a qudit has been encoded by the prover, he can keep applying error corrections on that qudit, and thus, can 
keep its effective error below some constant for a polynomially long time. Polynomially many authenticated qudits are 
sent this way to the prover. 

In the second stage a purification procedure is performed on the authenticated messages, which are now protected from noise by the prover's concatenated error correcting code. Since the purification is of the authenticated qudits, it is done according to instructions from the verifier. As explained in Appendix ?? the verifier can also interpret measurement outcomes for the prover, which are needed for the purification procedure. We need to purify both the input qubits, which are without loss of generality $|0\rangle$, and the Toffoli states. Any standard purification procedure (for example, that of [BOCG+06]) would work for the $|0\rangle$ states. In order to purify the Toffoli states we use the purification described in [BOCG+06]. The purification procedure uses polylogarithmically many qubits in order to provide a total error of at most $1/\mathrm{poly}(nT)$, where $T$ is the number of gates in the circuit $U$ that will be computed by the prover. This means (using the union bound) that, except with probability at most $\Delta$, all purified states are effectively correct. 

Finally, having correct input states with high probability, the polynomial QPIP (Protocol 4.2) is executed. The prover applies logical operations (SUM, F and measurements) on his registers, which contain authenticated qudits. In particular, a logical measurement of the output bit of the computation is executed by the prover at the end of the computation. The result is then sent to the verifier, who subsequently interprets it according to his secret key. 

The soundness of this fault tolerant QPIP is the same as that of the standard QPIP. In fact, in this scheme the verifier ignores the prover's overhead of encoding the input in an error correcting code and performing encoded operations. The verifier can be thought of as performing Protocol 4.2 for a purification circuit followed by the circuit he is interested in computing. Therefore, the security proof of Theorem 4.1 in fact proves that applying the purification and computation circuits has the same soundness parameter as the standard QPIP. 

Regarding completeness, the fact that the prover's computation is noisy changes the error probability only very slightly. There is a probability $\Delta$ that one of the input authenticated states is effectively incorrect; once they are all correct, the fault tolerance proof implies that they remain correct throughout the entire computation with all but an inverse polynomial probability. Therefore, if the standard QPIP protocol has completeness $1 - \delta - \epsilon$, the completeness of this scheme is bounded by $1 - \delta - \epsilon - 2\Delta$. □ 



F Blind QPIP 

Definition F.1 [AS06, BFK08, Chi01] Secure blind quantum computation is a process where a server computes a function for a client and the following properties hold: 

• Blindness: The prover gets no information beyond an upper bound on the size of the circuit. Formally, in a blind computation scheme for a set of functions $\Phi_n$ the prover's reduced density matrix is identical for every $f \in \Phi_n$. 

• Security: Completeness and soundness hold in the same way as in QAS (Definition 3.1). 

Theorem 1.4 There is a blind QPIP for Q-CIRCUIT. 

We use the QPIP protocols for Q-CIRCUIT in order to provide a blind protocol for any language in BQP. We use the simple observation that the input is completely hidden from the prover. This holds since in both QAS presented, the density matrix that describes the prover's state does not depend on the input to the circuit. Specifically, due to the randomized selection of an authentication, the prover's state is the completely mixed state. We also use in the proof of this theorem the notion of a universal circuit. Roughly, a universal circuit acts on input bits and control bits. The control bits can be thought of as a description of a circuit that should be applied to the input bits. Constructions of such universal circuits are left as an easy exercise to the reader. 

Having mentioned the above observations, a blind computation protocol is not hard to devise. The verifier will, regardless of the input, compute, with the prover's help, the result of the universal circuit acting on the input and control bits. 

We first formally define a universal circuit: 

Definition F.2 The universal circuit $\mathcal{U}_{n,k}$ acts in the following way: 

$$\mathcal{U}_{n,k}\, |\phi\rangle \otimes |c(U)\rangle = U|\phi\rangle \otimes |c(U)\rangle \qquad (79)$$ 

where $c(U)$ is the canonical (classical) description of the circuit $U$. 

Proof of Theorem 1.4 We prove that both the Clifford based QPIP and the polynomial QPIP can be used to create a blind computation protocol. We claim that the state of the prover throughout the protocols is described by the completely mixed state. This is true in the polynomial scheme since the Pauli randomization does exactly that. Averaging over all possible Pauli keys, it is easy to check that the state of the prover is described by $\mathcal{I}$. Furthermore, the prover gains no information regarding the Pauli key during the protocol; therefore, the description of the state does not change during the protocol, as claimed. 

Since the above holds for any initial state, it follows that the prover has no information about the initial, intermediate or final state of the system. 

To see that the same argument holds for the Clifford QAS, it suffices to notice that applying a random Clifford operator "includes" the application of a random Pauli: 

$$\frac{1}{|\mathcal{C}_n|} \sum_{C \in \mathcal{C}_n} C \rho C^\dagger = \frac{1}{|\mathcal{C}_n|} \sum_{C \in \mathcal{C}_n} C Q \rho Q^\dagger C^\dagger \qquad (80)$$ 
Equality holds for any $Q \in \mathcal{P}_n$ since it is nothing but a change of the order of summation. 

$$\frac{1}{|\mathcal{C}_n|} \sum_{C \in \mathcal{C}_n} C \rho C^\dagger = \frac{1}{|\mathcal{P}_n|} \sum_{Q \in \mathcal{P}_n} \frac{1}{|\mathcal{C}_n|} \sum_{C \in \mathcal{C}_n} C \rho C^\dagger \qquad (81)$$ 

$$= \frac{1}{|\mathcal{C}_n|} \sum_{C \in \mathcal{C}_n} \frac{1}{|\mathcal{P}_n|} \sum_{Q \in \mathcal{P}_n} C Q \rho Q^\dagger C^\dagger \qquad (82)$$ 

$$= \frac{1}{|\mathcal{C}_n|} \sum_{C \in \mathcal{C}_n} C \left( \frac{1}{|\mathcal{P}_n|} \sum_{Q \in \mathcal{P}_n} Q \rho Q^\dagger \right) C^\dagger \qquad (83)$$ 

$$= \frac{1}{|\mathcal{C}_n|} \sum_{C \in \mathcal{C}_n} C \, \mathcal{I} \, C^\dagger \qquad (84)$$ 

$$= \mathcal{I} \qquad (85)$$ 



□ 
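As an added numerical check of the blindness argument in Eqs. (80)-(85) for a single qubit (example code added here, not from the paper): it enumerates $\mathcal{C}_1$ modulo global phase from the generators $H$ and $S$ (an assumed generating set, giving 24 elements), and verifies that both the Pauli twirl and the Clifford twirl of an arbitrary state equal the completely mixed state, and that Eq. (80) holds for every $Q \in \mathcal{P}_1$.

```python
# Added example: checks Eqs. (80)-(85) for one qubit (n = 1) in pure Python, no numpy.
# 2x2 complex matrices are row-major 4-tuples; C_1 is enumerated mod global phase.

def mul(a, b):
    return (a[0]*b[0] + a[1]*b[2], a[0]*b[1] + a[1]*b[3],
            a[2]*b[0] + a[3]*b[2], a[2]*b[1] + a[3]*b[3])

def dag(a):
    """Conjugate transpose."""
    return (a[0].conjugate(), a[2].conjugate(), a[1].conjugate(), a[3].conjugate())

def canon(a):
    """Representative mod global phase: first non-zero entry made real positive, then rounded."""
    p = next(x for x in a if abs(x) > 1e-9)
    f = abs(p) / p
    return tuple(complex(round((f*x).real, 9), round((f*x).imag, 9)) for x in a)

I, X, Y, Z = (1, 0, 0, 1), (0, 1, 1, 0), (0, -1j, 1j, 0), (1, 0, 0, -1)
H = tuple(x / 2 ** 0.5 for x in (1, 1, 1, -1))
S = (1, 0, 0, 1j)
PAULIS = [I, X, Y, Z]            # the Pauli group P_1, mod phase
HALF_I = (0.5, 0, 0, 0.5)        # the completely mixed state of one qubit

def clifford_group():
    """Closure of {H, S} under multiplication, mod phase: the 24-element group C_1 (assumed generators)."""
    seen, frontier = {canon(I)}, [canon(I)]
    while frontier:
        c = frontier.pop()
        for g in (H, S):
            nxt = canon(mul(g, c))
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return list(seen)

def twirl(rho, ops):
    """(1/|ops|) sum_U U rho U^dagger: the state after a uniformly random U from ops was applied."""
    acc = (0, 0, 0, 0)
    for u in ops:
        acc = tuple(x + y for x, y in zip(acc, mul(mul(u, rho), dag(u))))
    return tuple(x / len(ops) for x in acc)

def dist(a, b):
    return max(abs(x - y) for x, y in zip(a, b))

def ket_rho(alpha, beta):
    """Density matrix |phi><phi| of the pure state alpha|0> + beta|1> (assumed normalised)."""
    v = (complex(alpha), complex(beta))
    return tuple(v[i] * v[j].conjugate() for i in range(2) for j in range(2))

def blindness_check(rho):
    """Returns (pauli_gap, clifford_gap, eq80_gap): distance of the Pauli twirl (Eqs. 83-84) and
    of the Clifford twirl (Eq. 85) from I/2, and the largest violation of Eq. (80) over Q in P_1."""
    cliff = clifford_group()
    lhs = twirl(rho, cliff)
    eq80 = max(dist(lhs, twirl(mul(mul(q, rho), dag(q)), cliff)) for q in PAULIS)
    return dist(twirl(rho, PAULIS), HALF_I), dist(lhs, HALF_I), eq80
```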



G Interpretation of Results 

Proof of Corollary 1.5 Let us first deal with the Clifford based QPIP. We assume that the soundness of the scheme is $\delta$ and that the prover applies a strategy on which the verifier does not abort with probability $\gamma$. The final state of the protocol before the verifier's cheat detection can be written as (see Eq. ??): 

$$s \, \rho_c + \frac{1-s}{4^n - 1} \sum_{Q \in \mathcal{P}_n \setminus \{I\}} Q \rho_c Q^\dagger \qquad (86)$$ 

where $\rho_c$ is the correct final state of the protocol. After the verifier applies the cheat detection procedure $B$ (which checks that the control registers are indeed in the $|0\rangle$ state): 

$$s \, \rho_c \otimes |VAL\rangle\langle VAL| + \alpha_{rej} \, \rho_{rej} \otimes |ABR\rangle\langle ABR| + \alpha_{bad} \, \rho_{bad} \otimes |VAL\rangle\langle VAL| \qquad (87)$$ 

Assume the verifier declares the computation valid; then his state is: 

$$\frac{s \, \rho_c + \alpha_{bad} \, \rho_{bad}}{1 - \alpha_{rej}} \otimes |VAL\rangle\langle VAL| \qquad (88)$$ 

and the trace distance to the correct state $\rho_c$ is bounded by: 

$$\left(1 - \frac{s}{1 - \alpha_{rej}}\right) + \frac{\alpha_{bad}}{1 - \alpha_{rej}} = \frac{2\alpha_{bad}}{1 - \alpha_{rej}} \le \frac{2\delta}{\gamma}$$ 

where the inequality follows from the security of the QPIP protocol, $\alpha_{bad} \le \delta$, and the fact that the non-aborting probability $\gamma$ is equal to $\alpha_{bad} + s$. 

The proof that the polynomial based QPIP has the same property follows the exact same lines. □ 



H Symmetric Definition of QPIP 



The definitions and results presented so far seem to be asymmetric. They refer to a setting where the prover wishes to convince the verifier solely of YES instances (of problems in BQP). This asymmetry seems natural neither with respect to the complexity class BQP nor with respect to the cryptographic or commercial aspects. In fact, this intuition is indeed true. 

Indeed, we can provide a symmetric definition of quantum prover interactive proofs, and show that the two definitions are equivalent. Essentially, this follows from the trivial observation that the class BQP is closed under complement, that is, $\mathcal{L} \in BQP \iff \mathcal{L}^c \in BQP$. 

To see this, let us first consider the symmetric definition for QPIP. 
Definition H.1 A language $\mathcal{L}$ is in the class symmetric quantum prover interactive proof ($QPIP^{sym}$) if there exists an interactive protocol with the following properties: 

• The prover's and the verifier's computational power is exactly the same as in the definition of QPIP (Definition 1.1). Namely, a BQP machine and a quantum-classical hybrid machine for the prover and the verifier respectively. 

• Communication is identical to the QPIP definition. 

• The verifier has three possible outcomes: YES, NO, and ABORT: 

- YES: The verifier is convinced that $x \in \mathcal{L}$. 

- NO: The verifier is convinced that $x \notin \mathcal{L}$. 

- ABORT: The verifier caught the prover cheating. 

• Completeness: There exists a prover $\mathcal{P}$ such that $\forall x \in \{0,1\}^*$ the verifier is correct with high probability: 

$$\Pr\left( [\mathcal{V}, \mathcal{P}](x, r) = 1_{\mathcal{L}}(x) \right) \ge \frac{2}{3}$$ 

where $1_{\mathcal{L}}$ is the indicator function of $\mathcal{L}$. 

• Soundness: For any prover $\mathcal{P}'$ and for any $x \in \{0,1\}^*$, the verifier is mistaken with bounded probability, that is: 

$$\Pr\left( [\mathcal{V}, \mathcal{P}'](x, r) = 1 - 1_{\mathcal{L}}(x) \right) \le \frac{1}{3}$$ 

Theorem H.1 For any language $\mathcal{L}$: if $\mathcal{L}$ and $\mathcal{L}^c$ are both in QPIP then $\mathcal{L}, \mathcal{L}^c \in QPIP^{sym}$. 

Proof: Let $\mathcal{V}_{\mathcal{L}}, \mathcal{P}_{\mathcal{L}}$ denote the QPIP verifier and prover for the language $\mathcal{L}$. By the assumption, there exists such a pair for both $\mathcal{L}$ and $\mathcal{L}^c$. We define the pair $\mathcal{V}$ and $\mathcal{P}$ to be the $QPIP^{sym}$ verifier and prover in the following way: In the first round the prover $\mathcal{P}$ sends to $\mathcal{V}$ "yes" if $x \in \mathcal{L}$ and "no" otherwise. Now, both $\mathcal{V}$ and $\mathcal{P}$ behave according to $\mathcal{V}_{\mathcal{L}}, \mathcal{P}_{\mathcal{L}}$ if "yes" was sent, or according to $\mathcal{V}_{\mathcal{L}^c}, \mathcal{P}_{\mathcal{L}^c}$ otherwise. Soundness and completeness follow immediately from the definition. 
□ 

Since BQP is closed under complement, we get: 

Corollary H.2 $BQP = QPIP^{sym}$ 